Expose backend parameter to run container with additional permissions #962

Open
stxue1 opened this issue May 9, 2024 · 1 comment · Fixed by #963
stxue1 commented May 9, 2024

We want to run some of the Toil interpreters for WDL and CWL with TES under Funnel. We run TES jobs by running Toil containers, which we then pass a command through to figure out what CWL/WDL command is necessary for a certain job, which will then invoke another container to run the actual job. We do this to support reading/writing files that the underlying TES implementation cannot handle and because it simplifies things for us. For the nested container, we normally try to run it with Singularity, but Singularity needs additional permissions to run within a Docker container when the host machine has seccomp, which is very common. We would like some sort of way to specify running the TES job with certain additional Docker permissions to allow Singularity to run.

For example, some of the Docker options that we need:
docker run -it --security-opt seccomp=unconfined --security-opt systempaths=unconfined [container] ...

Running the container as privileged with CAP_SYS_ADMIN or --privileged also gets around this issue, but we think the least permissive option is the docker command above, or defining a limited seccomp profile.

lbeckman314 (Member) commented

Thank you for writing this issue! We just released a new version that exposes backend parameters to allow users to run containers with custom flags:

https://github.com/ohsu-comp-bio/funnel/releases/tag/0.11.1-rc.1

Update Guide

The release page contains more detailed steps for configuring this option, but here is an overview of the steps involved:

1. Update Funnel

Here we use the installer script to help pull and check the binary from the Release Assets page:

/bin/bash -c "$(curl -fsSL https://github.com/ohsu-comp-bio/funnel/releases/download/0.11.1-rc.1/install.sh)" -- --verbose --release 0.11.1-rc.1

2. Add the following to your Funnel config file (e.g. docker.yaml):

Worker:
  Container:
    DriverCommand: docker
    RunCommand: run -i --security-opt seccomp=unconfined --security-opt systempaths=unconfined --name {{.Name}} {{range .Volumes}}-v {{.HostPath}}:{{.ContainerPath}}:rw{{end}} {{.Image}} {{.Command}}
    PullCommand: pull {{.Image}}
    StopCommand: stop {{.Name}}

3. Start Funnel Server with the updated config

funnel server run --config docker.yaml

4. Create a new test task

➜ funnel examples hello-world > hello-world.json

➜ funnel task create hello-world.json
# cqi53isbajf230tr0gpg

5. Verify the custom flags are in System Logs

➜ funnel tasks get cqi53isbajf230tr0gpg | grep cmd
# "level='info' msg='Running command' ... cmd='docker run -i --security-opt seccomp=unconfined --security-opt systempaths=unconfined ... alpine echo hello world'" ✅

Let us know if there are issues with this feature and we'll be happy to take a look!
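Added example, not Funnel's own code: the RunCommand value above is a Go text/template, so before deploying a config like this an operator can render it with sample task data and list the isolation-weakening options it carries. The Volume and RunData structs are assumptions made for this example (their field names mirror the placeholders in the config), not Funnel's real types.

```go
package main

import (
	"bytes"
	"strings"
	"text/template"
)

// Hypothetical stand-in for the data Funnel feeds its RunCommand template.
// The field names match the placeholders in the config above; the struct
// itself is an assumption for this example, not Funnel's own type.
type Volume struct{ HostPath, ContainerPath string }
type RunData struct {
	Name, Image, Command string
	Volumes              []Volume
}

// RunCommand template copied verbatim from the config in this thread.
const RunCommand = `run -i --security-opt seccomp=unconfined --security-opt systempaths=unconfined --name {{.Name}} {{range .Volumes}}-v {{.HostPath}}:{{.ContainerPath}}:rw{{end}} {{.Image}} {{.Command}}`

// Render executes the Go template with text/template and collapses
// whitespace so the result reads like the cmd= line in Funnel's logs.
func Render(tmpl string, d RunData) (string, error) {
	t, err := template.New("run").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, d); err != nil {
		return "", err
	}
	return strings.Join(strings.Fields(buf.String()), " "), nil
}

// BroadFlags returns the docker options in a rendered command that weaken
// container isolation (the ones discussed in this issue plus --privileged
// and --cap-add), so the config can be reviewed before it is deployed.
func BroadFlags(cmd string) []string {
	watch := []string{"--privileged", "--cap-add", "seccomp=unconfined", "systempaths=unconfined"}
	var found []string
	for _, tok := range strings.Fields(cmd) {
		for _, w := range watch {
			if strings.HasPrefix(tok, w) {
				found = append(found, tok)
			}
		}
	}
	return found
}
```

Rendering with one constructed volume yields the same `docker run -i --security-opt seccomp=unconfined --security-opt systempaths=unconfined ...` line the System Logs check in step 5 looks for, and BroadFlags reports both unconfined options so the trade-off is visible in review rather than only in the logs.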
